EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
tj2718 at aol.com
Fri Nov 4 18:28:03 CET 2016
> On Tue, Oct 25, 2016 at 08:15:11PM -0400, Travis via Freeradius-Users wrote:
> > > I was bitten by that too. Try changing it to:
>
> Personally (and what I do here) I would use the check-eap-tls virtual server
> so you can check the actual contents of the certificate with LDAP, rather than
> relying on the contents of the User-Name attribute, which a client could
> easily spoof; they can't spoof the certificate subject.
Many thanks Matthew! I didn't know there even was a check-eap-tls virtual
server that I could use. Once I created a soft link and configured that, I started getting
more of what I was expecting to see.
>
> For plain users, just call "ldap" in the inner tunnel as usual.
> Possibly wrapped around with an if EAP-Type == PEAP so it doesn't get called
> for hosts (check-eap-tls won't get called for PEAP as there is no client
> certificate, so you don't need that the other way around).
>
> But essentially - look at the LDAP lookups that FreeRADIUS is doing, and then
> go update the configuration so it does the right lookups with the data it has
> available.
I had to do some minor tweaks to my sites-enabled\default config with some
if statements:
# Machine auth over EAP-TLS: the certificate CN was already validated by
# check-eap-tls, so a User-Name of host/<CN> is accepted without a group lookup.
# Without a client certificate %{TLS-Client-Cert-Common-Name} expands to "",
# so a client that merely sends a "host/..." User-Name does not match here.
if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
    noop
}
# Everyone else (PEAP users) must be a member of the WiFi group in LDAP.
elsif (!(&Ldap-Group == "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com")) {
    reject
}
but now all the tablets with certificates are working along with users in an LDAP group.
Thank you to everyone who responded with their insight and guidance.
Now on to my next post regarding iPhones with certificates doing EAP-TLS failing.
Travis
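As an added illustration (not code from the thread or from FreeRADIUS), the following Python models the policy discussed above: an EAP-TLS client is identified by the handshake-verified certificate CN that check-eap-tls looks up in LDAP, while the client-supplied User-Name only matters for the PEAP group check. The directory contents (group memberships, known machine CNs) are constructed sample data.

```python
from dataclasses import dataclass

WIFI_GROUP = "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com"

# Constructed stand-in for the directory (not real data): PEAP users with their
# group memberships, and the CNs of the machine certificates that were issued.
LDAP_USER_GROUPS = {"alice": {WIFI_GROUP}, "bob": set()}
LDAP_COMPUTER_CNS = {"tablet01.rsdtc.com", "tablet02.rsdtc.com"}


@dataclass
class Request:
    user_name: str        # client-supplied; the supplicant can send anything here
    eap_type: str         # "TLS" (client certificate) or "PEAP" (inner-tunnel password)
    cert_cn: str = ""     # TLS-Client-Cert-Common-Name; empty when no certificate was sent


def check_eap_tls(req: Request) -> bool:
    """Role of the check-eap-tls virtual server: trust the certificate subject
    verified by the TLS handshake and confirm that subject exists in LDAP."""
    return bool(req.cert_cn) and req.cert_cn in LDAP_COMPUTER_CNS


def ldap_group_ok(req: Request) -> bool:
    """Role of the inner-tunnel 'ldap' call: is the user in the WiFi group?"""
    return WIFI_GROUP in LDAP_USER_GROUPS.get(req.user_name, set())


def authorize(req: Request) -> str:
    """Mirror of the unlang policy from the post; returns 'accept' or 'reject'."""
    if req.eap_type == "TLS" and not check_eap_tls(req):
        return "reject"                     # unknown or missing client certificate
    # Like "host/%{TLS-Client-Cert-Common-Name}": without a certificate the
    # expansion is "host/", so a spoofed "host/..." User-Name never matches.
    if req.cert_cn and req.user_name == f"host/{req.cert_cn}":
        return "accept"                     # machine auth, certificate already checked
    if not ldap_group_ok(req):
        return "reject"                     # not in the WiFi group
    return "accept"
```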